05-01-2017 10:35 PM - edited 03-05-2019 08:27 AM
With Crypto, the GRE tunnel is not coming up.
Without Crypto the GRE tunnel is up and working!!
Can anyone suggest the reason!!!
Thanks
05-01-2017 10:41 PM
Hello,
post the configs if possible.
What do the logs show ?
05-01-2017 11:13 PM - edited 03-26-2018 05:20 AM
Thanks
05-01-2017 11:13 PM
Hello
It seems your ipsec configuration is not complete.
Try a configuration like this one: https://learningnetwork.cisco.com/docs/DOC-2457
05-01-2017 11:32 PM
Which commands are missing in my config?
05-01-2017 11:36 PM
Hello,
so you have multiple tunnels on the same router?
Since we don't know your full setup, this is just guesswork, but try and add the 'shared' keyword to the end of your tunnel protection statement:
tunnel protection ipsec profile test_vpn_profile_aes shared
05-01-2017 11:48 PM
My setup:
VPN2 is a central router which is handling more than 70 VPN tunnels across the world.
The VPN2 router has 2 tunnels to a remote router: one from the primary IP 195.38.41.196 (Tunnel250) and one from the secondary IP 195.38.41.197 (Tunnel450).
VPN1 is the remote location router.
I am getting this error:
VPN2(config-if)# tunnel protection ipsec profile test_vpn_profile_aes shared
Error: Tunnel450 - Shared tunnel protection is not supported when tunnel source is specified as an IP address. Configure "tunnel source <interface>" when using shared tunnel protection.
Thanks
05-02-2017 12:07 AM
Hello,
post the configs of both the primary and the backup tunnel, including the full ipsec profile configuration. You are probably missing something...
05-02-2017 12:36 AM - edited 03-26-2018 05:20 AM
Thanks
05-02-2017 03:20 AM
Hello,
Your configuration looks fine. On your gateway of VPN1 (I'm speaking about 117.247.31.145), do you have any access-group configured on the interface?
Are you not denying the ISAKMP protocol or the ESP protocol?
05-02-2017 03:47 AM
Hello,
is the setup with secondary IP addresses as tunnel sources working with your other sites? I am not sure if that setup works...
You can use the same (primary) IP address as tunnel source for different tunnels, as long as the destinations are different. Also, if you specify the interface as the source, you can add the 'shared' keyword, and you don't need different IPSec profiles.
So, try to add the interface as the source for both tunnels, and not a secondary IP address.
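An added illustration of this suggestion as it would look on VPN2 (this is not configuration posted in the thread). The interface name GigabitEthernet0/0, the tunnel-interface addresses and which remote address each tunnel points at are assumptions based on the details given above.

```cisco
! VPN2 (central router), added example, not from the thread.
! Assumed: GigabitEthernet0/0 carries 195.38.41.196 (primary) and
! 195.38.41.197 (secondary); VPN1 answers on 117.247.31.145 and .146.
! One IPsec profile is reused by both tunnels thanks to the 'shared' keyword.
crypto ipsec profile test_vpn_profile_aes
 set transform-set <existing-transform-set>
!
interface Tunnel250
 ! constructed tunnel address
 ip address 10.250.0.1 255.255.255.252
 ! source is the interface, not an IP address, otherwise 'shared' is rejected
 tunnel source GigabitEthernet0/0
 tunnel destination 117.247.31.145
 tunnel protection ipsec profile test_vpn_profile_aes shared
!
interface Tunnel450
 ! constructed tunnel address
 ip address 10.45.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 ! destinations must differ between the two tunnels (they do here)
 tunnel destination 117.247.31.146
 tunnel protection ipsec profile test_vpn_profile_aes shared
!
! Verify after the change:
! show crypto session
! show crypto ipsec sa
```

With the interface as source, both tunnels are sourced from the interface's primary address (195.38.41.196), so the crypto peer configured on VPN1 for the second tunnel must be changed from 195.38.41.197 to 195.38.41.196 as well.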
05-02-2017 04:15 AM
Yes... it's working for 50 sites.
Central routers:
1-
Primary interface(xxx.xxx.xxx.104) - Tunnel 1
secondary Interface(xxx.xxx.xxx.105) - Tunnel 3
2-
Primary interface(xxx.xxx.xxx.196) - Tunnel 2
secondary Interface(xxx.xxx.xxx.197) - Tunnel 4
Thanks
05-02-2017 06:23 AM
Which kind of Cisco router is it?
Please enable debug crypto isakmp and debug crypto ipsec, as a.alekseev said.
You can also create an ACL to see if you're receiving any isakmp packets:
ip access-list extended TEST
permit udp host 195.38.41.197 host 117.247.31.146 eq isakmp
permit esp host 195.38.41.197 host 117.247.31.146
permit ip any any
int g0/2
ip access-group TEST in
05-02-2017 06:29 AM
It's a 2911 router in the remote location....
Please check the debug logs in my last post...
Here is the access-list output:
VPN1#sh access-lists
Extended IP access list TEST
10 permit udp host 195.38.41.197 host 117.247.31.146 eq isakmp (7 matches)
20 permit esp host 195.38.41.197 host 117.247.31.146
30 permit ip any any (27255 matches)
Thanks
05-02-2017 03:45 AM
I think that you cannot use a secondary IP address for IPsec. It'll work with pure GRE but not with IPsec.